Businesses must comply with the Act

Businesses must ensure any electronic messages they send are not considered spam.

Failure to comply could mean a fine of up to $500,000.

The business could also be made to pay the victims compensation up to the amount of loss suffered or damages up to the amount of loss suffered or damages up to the amount of profit that was made as a result of sending the spam.

What we mean by commercial electronic messages

The electronic message is considered spam only if it is commercial in nature - for instance marketing or promoting goods, services or land, or directing the recipient to a location where a commercial transaction can take place (such as a website).

It is important to note that providing a hyperlink to a company web page in the signature of an otherwise non-commercial email would make it commercial.

There are a large number of commercial electronic messages that can be sent legitimately. They are only spam if they are sent without the consent of the recipient - as unsolicited messages.

A single message may be spam. The message does not need to be sent or received in bulk.

Which messages are not commercial electronic messages?

The Act provides that the following common messages between organisations and clients/customers are not commercial electronic messages:

Responses to a request for a quote or estimate

Messages that facilitate, complete or confirm a commercial transaction that the recipient previously agreed to

Warranty information, product recalls and safety and security information about goods or services used or purchased by the recipient

Factual information about a subscription, membership, account, loan or similar ongoing relationship

Information directly related to employment or a related benefit plan in which the recipient is currently involved

Delivers goods and services that the recipient is entitled to receive under the terms of a previous transaction.

If messages fall into any of the above descriptions then it is not spam and doesn’t have to contain information about the sender or a functioning unsubscribe facility.

Privacy principles

Passing on email addresses, without permission, to another organisation or business may breach the Privacy Act.

Step One - Consent

Commercial messages must be sent only when you have express consent, inferred consent, or deemed consent.

Express consent

Express consent is a direct indication from the person you wish to contact that it is okay to send the message(s).

Express consent can be gained in a variety of ways such as:

Filling in a paper form

Ticking a box on a website

A phone or face-to-face conversation.

Businesses should keep a record of all instances where consent is given, including who gave the consent and how. Under the Act it is up to the sender to prove that consent exists.

It is also advisable to verify that consent has come from the actual holder of a particular electronic address. This can be done by requesting that the recipient reply confirming they would like to receive future messages.

If you are using an existing database of addresses and you are not sure if you have the express consent of the people listed you will need to obtain it (even if you have been sending electronic messages to these customers for years).

Inferred consent

Inferred consent is when the person you wish to contact has not directly instructed you to send them a message, but it is still clear that there is a reasonable expectation that messages will be sent.

For example, the address-holder provided their email address when purchasing goods and services in the general expectation that there will be follow-up communication.

If someone has been on your existing address list and has not ‘unsubscribed’, it does not mean that consent can be inferred. If you are not confident that the existing relationship is strong enough to infer consent, you should obtain express consent. Inferred consent is limited in its application.

For example if people join a tennis club you can infer consent to send them a tennis newsletter, but you could not infer consent to send them an investment newsletter.

Deemed consent

Deemed consent is when someone conspicuously publishes their work-related electronic address (e.g. on a website, brochure or magazine).

However, if a publication includes a statement that the person does not want to receive unsolicited commercial electronic messages at that address, consent cannot be deemed.

There also must be a strong link between the message and the recipient’s business.

Step Two - Identify

Commercial messages must always clearly identify the business responsible for sending the message and how they can be contacted.

Sometimes you might use another organisation, a third party, to send commercial electronic messages on your behalf. This third party must include accurate information about your business, i.e. name and contact details.

The amount of information may depend on the medium by which the message is sent. Text messages impose limitations on the amount that can be displayed.

Identification details that are provided must be reasonably likely to be accurate for a period of 30 days after the message is sent. This requirement ensures that addressees have a reasonable chance of being able to contact you.

Step Three - Unsubscribe

Commercial messages must contain a functioning unsubscribe facility, allowing people to state that commercial messages should not be sent to them in the future.

It needs to be clearly presented, easy to use and free of charge. It could be as simple as a line in your message saying, ‘If you do not wish to receive future messages, send a reply with UNSUBSCRIBE’ in the subject line.

However, if you have an ongoing arrangement/contract with the recipient of your message waiving this requirement you will not need to include an unsubscribe function.

You must honour a request to unsubscribe within five working days.

Similar to the identification of the message’s sender (in step 2) the unsubscribe facility must be reasonably likely to remain accurate and functional for a 30 day period. It need not be an automated process, but should be reliable.

Fax (facsimile) messages

As of 20 October 2011, the Department of Internal Affairs is accepting complaints regarding fax spam.

An amendment to the schedule of the Unsolicited Electronic Messages Act 2007 means commercial facsimiles are now considered 'electronic messages' for the purposes of the Act.

Businesses using fax technology as a means of marketing and promoting their goods and services will now need to comply with the consent and unsubscribe provisions contained within the Act:

The sender must be able to prove consent existed for the fax to be sent to the recipient

The sender must also provide the recipient with a free method of unsubscribing via the same mode of communication. The unsubscribe facility must be clearly presented and easy to use. It would also be best business practice to provide the recipient with an alternative method of unsubscribing (i.e. phone or email address)

Faxes will also be required to contain accurate sender information which clearly identfies the sender of the message and how they can be contacted.